Trigona Ransomware Group Deploys Custom Exfiltration Tool for Data Theft

Trigona Ransomware Group Deploys Custom Exfiltration Tool for Data Theft

First seen 24 Apr 2026, 07:55 UTC DatabreachesBleepingcomputerGbhackersCybersecuritynewsScworld+4 87% similarity 71.0

Article Content

Browse articles
ThreatCluster

In March 2026, the Trigona ransomware group, which operates as a Ransomware-as-a-Service (RaaS), utilized a newly developed custom tool named 'uploader_client.exe' to enhance their data exfiltration capabilities. This tool allows for rapid and stealthy data theft, targeting high-value documents such as invoices and PDFs stored on network drives. The shift from commonly used utilities like Rclone and MegaSync to proprietary malware indicates a strategic move to avoid detection by security solutions. The attackers also employed the Huorong Network Security Suite tool HRSword to disable security measures on compromised systems, followed by the use of various other tools to facilitate credential theft and remote access. Notably, AnyDesk was used for remote access, while Mimikatz and Nirsoft tools were leveraged for credential harvesting. Despite disruptions to their operations in late 2023, Trigona affiliates have resumed attacks, indicating a persistent threat to organizations. Symantec has issued indicators of compromise (IoCs) to assist in detection and prevention efforts.

Key Points: • Trigona ransomware group has introduced a custom exfiltration tool for enhanced data theft. • The tool, 'uploader_client.exe', allows for rapid data transfer and evasion of security measures. • Recent attacks indicate a resurgence of Trigona operations despite previous disruptions.

ThreatCluster AI

Timeline

2022-10-01
Trigona ransomware first launched as a double-extortion operation.
2023-10-01
Ukrainian cyber activists disrupted Trigona operations.
2026-03-01
Trigona affiliates utilized 'uploader_client.exe' in new attacks.
2026-04-23
Symantec reports on the new custom tool and attack methods.
2026-04-24
Multiple cybersecurity outlets publish findings on Trigona's tactics.

Community

Browse all →